Certificate reference VMware
Details of all API Connect TLS certificates on VMware.
Add the flag --endpoints to see only user-facing endpoint certificates. Add the flag --creds to see only credentials and encryption secrets.
Common certificates
Common certificates exist in all subsystems of an API Connect deployment, and must be identical in each subsystem to enable them to communicate with each other.
Because you deploy your API Connect subsystems from a single project directory, these certificates are automatically set to be the same on all subsystems.
Certificate name | Description |
---|---|
root-ca | CA certificate that is the root of the certificate chain for all other API Connect certificates. Do not update this certificate. |
ingress-ca | Intermediate CA certificate used to generate all API Connect ingress certificates. Do not customize this certificate. If the certificate expires (duration is 20 years), see: Renewing ingress-ca. If you have multiple data centers that are managed from different project directories, you can synchronize this certificate, see: Synchronizing the ingress-ca certificate. |
appliance-client | A client certificate that is used by the apicup command to communicate with the API Connect subsystem appliances. Requires EKU Do not update this certificate. |
k8s-ca | CA certificate that forms the root of the certificate chain for the Kubernetes cluster components that run in the API Connect subsystem appliance. Do not update this certificate. |
Management certificates
Certificate name | Description |
---|---|
portal-client | The For successful portal registration the portal-client certificate must meet these requirements: If you have a multiple data center deployment, both data centers must use an identical subject name. This certificate is loaded by the management subsystem into the Do not update this certificate. |
analytics-client-client | A legacy certificate; it is not used from v10.0.5 onwards. |
analytics-ingestion-client | The For successful analytics registration the analytics-ingestion-client certificate must meet these requirements: This certificate is loaded by the management subsystem into the For multiple data center deployments, both data centers must have an identical subject name. Do not update this certificate. |
platform-api | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
consumer-api | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
api-manager-ui | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
cloud-admin-ui | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
hub | Used by the Automated API behavior testing application. User-facing ingress certificate for the |
management-replication-client | Used in 2DCDR deployments only. The Requires EKU |
management-replication-ingress | Used in 2DCDR deployments only. The management-replication-ingress must be valid for the endpoint defined by Requires EKU |
Portal subsystem certificates
The following table lists the certificates that exist on the management subsystem, in addition to the common certificates.
Certificate name | Description |
---|---|
mgmt-consumer-api | The This certificate must be identical to the Do not update this certificate. |
mgmt-platform-api | The This certificate must be identical to the Do not update this certificate. |
portal-admin-ingress | The Do not update this certificate. |
portal-replication-client | Used in 2DCDR deployments only. The Requires EKU |
portal-replication-ingress | Used in 2DCDR deployments only. The portal-replication-ingress must be valid for the endpoint defined by Requires EKU |
portal-www-ingress | The The endpoint is called |
Analytics subsystem certificates
The following table lists the certificates that exist on the management subsystem, in addition to the common certificates.
Certificate name | Description |
---|---|
analytics-ca | Internal certificate used for communication between analytics subsystem components. Do not update this certificate. |
analytics-ingestion-ingress | The analytics-ingestion-ingress certificate is an inter-subsystem ingress certificate that is used to secure the analytics ingestion endpoint, which is used for the following: Do not update this certificate. |
service-client | Internal certificate used for communication between analytics subsystem components. Do not update this certificate. |
service-server | Internal certificate used for communication between analytics subsystem components. Do not update this certificate. |
Ingress certificates
ingress-ca. If you renew your ingress-ca certificate, then you must also renew all the ingress end-entity certificates that are listed in this table. For steps on renewing the ingress-ca, see Renewing ingress-ca.
Certificate name | Description |
---|---|
portal-client | The For successful portal registration the portal-client certificate must meet these requirements: If you have a multiple data center deployment, both data centers must use an identical subject name. This certificate is loaded by the management subsystem into the Do not update this certificate. |
analytics-client-client | A legacy certificate; it is not used from v10.0.5 onwards. |
analytics-ingestion-client | The For successful analytics registration the analytics-ingestion-client certificate must meet these requirements: This certificate is loaded by the management subsystem into the For multiple data center deployments, both data centers must have an identical subject name. Do not update this certificate. |
platform-api | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
consumer-api | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
api-manager-ui | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
cloud-admin-ui | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
hub | Used by the Automated API behavior testing application. User-facing ingress certificate for the |
portal-admin-ingress | The Do not update this certificate. |
portal-www-ingress | The The endpoint is called |
analytics-ingestion-ingress | The analytics-ingestion-ingress certificate is an inter-subsystem ingress certificate that is used to secure the analytics ingestion endpoint, which is used for the following: Do not update this certificate. |
management-replication-client | Used in 2DCDR deployments only. The Requires EKU |
management-replication-ingress | Used in 2DCDR deployments only. The management-replication-ingress must be valid for the endpoint defined by Requires EKU |
mgmt-consumer-api | The This certificate must be identical to the Do not update this certificate. |
mgmt-platform-api | The This certificate must be identical to the Do not update this certificate. |
portal-replication-client | Used in 2DCDR deployments only. The Requires EKU |
portal-replication-ingress | Used in 2DCDR deployments only. The portal-replication-ingress must be valid for the endpoint defined by Requires EKU |
User-facing certificates
Certificate name | Description |
---|---|
portal-www-ingress | The The endpoint is called |
api-manager-ui | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
cloud-admin-ui | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
consumer-api | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
platform-api | The The endpoint in the management subsystem configuration uses the same name: The hostnames for which the certificate is valid must include the Requires EKU |
hub | Used by the Automated API behavior testing application. User-facing ingress certificate for the |